> Depends on the target and what you can get. Think about Bartender,

As I said in another comment, Bartender had no target! It was not an attack. An app was sold by one developer to another developer. End of story.

> If you know of someone specific you want to target who uses it

But you don't. And you don't in the case of Little Snitch either.

You can dream up a bunch of absurd hypothetical scenarios, but they are not the reality.

> Someone who wanted to target you

Nobody wants to target me. Nobody cares about me. I am insignificant.

> Bartender had no target! It was not an attack.

The point is that it shows it can happen. You’re a browser extension developer, surely you know how often it happens that developers of popular extensions are approached by shady businesses and sometimes do even sell.

> You can dream up a bunch of absurd hypothetical scenarios, but they are not the reality.

As someone else has pointed out to you, not hypothetical.

https://news.ycombinator.com/item?id=47699068

> Nobody wants to target me. Nobody cares about me. I am insignificant.

You give yourself too little credit. I know of several developers and other people with influence who use your extensions with complete trust. Compromising you means compromising them, which means compromising even more people. Jia Tan has aptly demonstrated you don’t need to directly attack your final target, only a link in the chain, even if it looks insignificant.

> surely you know how often it happens that developers of popular extensions are approached by shady businesses and sometimes do even sell.

Yes, developers of free extensions who sell for a pittance.

I don't have a popular extension. My extension is relatively expensive and thus unpopular. I don't have enough users to be interesting to shady businesses. My extension is more valuable to me than to anyone else, because I, one person, can make a living from it.

> As someone else has pointed out to you, not hypothetical.

That link seems a bit silly. There's a screenshot with no explanatory context whatsoever. There's a list of items, many of which look quite mundane and uninteresting. Certainly it is not suggesting acquiring the company for millions of dollars. It sounds like someone—could even be an intern for all we know—is interested in attacking the app from the outside.

I agree with tptacek: "This is clownish" https://news.ycombinator.com/item?id=13813828

> You give yourself too little credit.

No, I give myself too much credit. ;-)

> I know of several developers and other people with influence who use your extensions with complete trust. Compromising you means compromising them, which means compromising even more people.

What is the value of compromising these people? Oh noes, the CIA can now write Daring Fireball articles!

> Jia Tan has aptly demonstrated you don’t need to directly attack your final target, only a link in the chain, even if it looks insignificant.

What chain? I have no third-party dependencies. If someone can compromise Apple's operating systems, then my software or Little Snitch is the least of our worries.

I do specifically and intentionally avoid using NPM, because of frequent compromises. Little Snitch is not even JavaScript, so no worries there.

> My extension is more valuable to me than to anyone else, because I, one person, can make a living from it.

I believe you, and as a fellow indie developer trust you and your intentions and that you’re careful to not be compromised. But if I’m being honest with myself I don’t have concrete proof of any of those. So I trust but also try to limit the blast radius if anything goes wrong. Does that make sense? I think you might agree there.

Your blog helps with that trust and with understanding the human behind it.

> Certainly it is not suggesting acquiring the company for millions of dollars.

Alright, yeah, I see we’re talking a bit past each other in that regard. You’re right that’s how the conversation started (before I joined in) but I don’t care for that angle fully either. I agree there are more plausible ways to achieve the objective.

> Oh noes, the CIA can now write Daring Fireball articles!

Not sure that’d be a downgrade. Maybe they could fix the Markdown perl script, too. Joking aside, I think there would be better targets, like someone on Apple’s Passwords team.

> What chain? I have no third-party dependencies. If someone can compromise Apple's operating systems

I don’t mean it in the sense of software dependencies, but in the sense that some app you use would compromise you. You know macOS’ permissions are mostly security theatre. We know people inside Apple use third-party apps. I can imagine ways of exploiting that, given a bit more knowledge of people from inside (which could be gathered from working there for a while, trawling social media, maybe reading Gruber’s emails, …).

> I do specifically and intentionally avoid using NPM, because of frequent compromises.

Same, no argument from me there.

> I don’t mean it in the sense of software dependencies, but in the sense that some app you use would compromise you. You know macOS’ permissions are mostly security theatre. We know people inside Apple use third-party apps. I can imagine ways of exploiting that, given a bit more knowledge of people from inside (which could be gathered from working there for a while, trawling social media, maybe reading Gruber’s emails, …).

You seem to be waffling here between targeted and untargeted attacks.

There's a world of difference between compromising me or an Apple employee and compromising my software or Apple's software. You don't magically get the latter from the former.

Untargeted attacks are just looking for the usual stuff, e.g., money. They don't care about who the victims are or what else they have.

It would require a targeted attack to insert malicious code into my software or into Apple's software. You claim, "I can imagine ways of exploiting that," but I don't actually believe you. If you can imagine it, then explain exactly how.

There's no evidence that anyone is targeting my software or that anyone has any reason to target my software. Even if I downloaded a typical malware app from the web, that wouldn't result in malicious code getting shipped in my software.

I'm not aware of anyone on the Apple Passwords team using my software, so if someone were trying to attack me to get to them, that seems a bit fruitless, to use a pun. In any case, the chain from compromising me, to compromising my software releases, to compromising an Apple engineer, to compromising Apple software releases, is convoluted to the extreme and would require much more specifics than anyone has given here (or is capable of giving).

In any case, I'm quite careful—though not tin foil hat paranoid—about which software I download and run on my Mac, and I've never downloaded malware in more than 20 years as a Mac user. Obviously I'm careful about my own privacy and security, since I use Little Snitch too!

> You seem to be waffling here between targeted and untargeted attacks.

Why do you think it matters? Little Snitch is used by enough people that it would be completely worthwhile as just an asset. With an infinite budget you don't look for the exploits once you have the target; you accumulate the exploits, and use them as you get targets.

I don't know how you think these apps are useful for small-time criminals to exploit, but governments somehow wouldn't be able to figure out a use for them. It reeks of "I have nothing to hide."

Maybe they use Little Snitch just to figure out what you're running, use another exploit to get into that, get blackmail material on one of your family members through connections made from files on your computer, and offer not to release it and to donate $500K to your project (that they'll set up for you, and will come from some obscure European foundation's fund), or "invest" (with no expectation or even mechanism for getting a return) into your LLC if you insert code into your software. Or even simply accept a pull request, which will be totally deniable if the code gets caught, and the pull request eventually traced to a Chinese/Russian/Iranian/North Korean IP.

I have no idea what evidence you expect people to leave. The goal is not to leave evidence. Why would someone announce that they were interested in you or targeting you?
